iOS certificate pinning is a client-side control, so on a jailbroken or virtualized device that a tester controls, it can be bypassed with instrumentation such as Objection and Frida, or a system-wide tweak like SSL Kill Switch, all of which force the app's trust checks to pass. This is a known limit of any pinning implementation, not a specific flaw. The defensive value of understanding it is to test your own app on a device you own, confirm that pinning is actually working and is not trivially bypassable, and remember what pinning does and does not protect: it stops network interception for users on healthy devices, but it does not stop the owner of a compromised device from seeing their own traffic.
Short answer
Certificate pinning protects the channel on healthy devices, but a tester on a jailbroken or virtual iOS device can disable it. Objection's ios sslpinning disable command and Frida scripts hook the trust-evaluation functions to make pinning pass, and SSL Kill Switch disables validation system-wide on a jailbroken device. Per the OWASP MASVS, pinning strengthens transport security but is a client-side control that a compromised device can defeat. Use this only to test your own app on hardware you own, ideally with a proxy, and remediate by pinning robustly and, above all, enforcing trust server-side, since pinning does not protect your API from a user who controls their device.
What certificate pinning does and why it can be bypassed
Certificate pinning has your app check the server's certificate or public key against a copy pinned in the app, so it accepts a connection only from your real server and rejects a substitute, even one signed by an otherwise trusted certificate authority. This defeats a common network attack: an interceptor who installs a rogue but trusted certificate to read traffic is blocked, because their certificate does not match the pin. For users on normal devices, pinning is a real and worthwhile defense against man-in-the-middle interception.
It can be bypassed for the same structural reason every client-side control can: the pinning check runs as code inside your app, and on a device the attacker controls, that code can be altered. The trust decision ultimately calls a function that returns whether the certificate is acceptable, and on a jailbroken or instrumented device a tester can hook that function to always return success, so the app proceeds as if the pin matched. This is not a defect in your pinning library; it is a property of running the check on hardware the tester owns, which is exactly the situation resilience testing assumes.
SSL Kill Switch, Frida, and Objection
The common iOS bypass tools fall into instrumentation and system-wide tweaks. Objection, built on Frida, includes an ios sslpinning disable command that hooks the standard iOS trust-evaluation paths, such as the Secure Transport and network trust APIs and popular networking libraries, so pinning checks pass. Frida on its own can attach to your running app and hook the specific trust functions, which is the flexible, scriptable approach testers use to target a particular implementation.
SSL Kill Switch, currently in its second and third generations, is the system-wide option: it is a tweak installed on a jailbroken device that disables certificate validation and pinning across the whole system by hooking the trust-evaluation machinery, so every app's pinning stops working. The difference is scope and audience. Objection and Frida are targeted tools for testing a specific app, while SSL Kill Switch broadly disables pinning on the device. All three achieve the same end for your app, forcing the pinning check to pass, because all three operate on the client where that check runs.
Corellium and test environment setup
Because these techniques need a jailbroken or otherwise controllable iOS environment, testers use either a physical jailbroken device or a virtual one, and Corellium is the common virtual option. Corellium provides virtualized iOS devices in software, letting you run and instrument iOS, including a jailbroken state, without a physical jailbroken phone, which is why it appears in professional mobile security testing. A typical setup is a virtual or physical device you control, your own app installed on it, Frida or Objection attached, and an intercepting proxy such as a network proxy tool to observe the traffic once pinning is disabled.
Set the environment up responsibly. Only test applications you have the right to test, use a device or virtual instance you own or are authorized to use, keep it isolated from personal accounts and production systems, and record findings so you can act on them. This mirrors how OWASP MASTG frames network and resilience testing: a controlled exercise to confirm whether pinning behaves as intended and where it fails. The point of standing up Corellium or a jailbroken device is to audit your own app's transport security, not to interfere with anyone else's traffic.
What pinning actually protects
Being precise about what pinning protects prevents a dangerous misuse of it. Pinning protects your users on healthy devices from a network attacker who tries to intercept their traffic, which is a genuine threat on hostile networks, so it is worth implementing. It hardens the transport channel against interception by a third party who is not the device owner, and that is its proper role.
What pinning does not do is protect your API from the owner of the device. A user who controls their own device can bypass pinning and observe the traffic their own app sends, so pinning is not an anti-reverse-engineering measure or a way to keep your API private from your own users. Treating it as such leads to designs that assume the client can be trusted once pinning is in place, which is false on a compromised device. The correct mental model is that pinning secures the channel against outsiders, while the device owner can always see their own traffic, so anything that must be protected from that user has to be enforced elsewhere.
Remediation: robust pinning and server-side trust
Remediation has two parts: implement pinning well, and never rely on it alone. Pin to the public key or subject public key info rather than a leaf certificate so rotation is manageable, include backup pins so a certificate change does not break your app, and consider a native implementation, which is harder to hook than a drop-in library. These steps raise the effort required to bypass pinning and keep it working smoothly for legitimate users, which is the realistic goal.
The more important half is server-side trust. Because a determined user can defeat client pinning, the server must authenticate and authorize every request rather than trusting the client because pinning is present, and sensitive operations should be gated on server-side checks. For stronger assurance that a request comes from your genuine, unmodified app, add Apple's App Attest, whose verdict is validated on your server and is far harder to forge than a client-side pin. Combine robust pinning for channel protection with server-side authorization and attestation for real trust, and design as if the client may be compromised, which is the durable posture.
Bypass approaches and their limits
Seeing the layers together shows where trust should live. The table below compares them.
| Layer | What it does | Limitation |
|---|---|---|
| Certificate pinning in the app | Rejects substitute server certificates, blocks interception | Runs on the device, hookable when compromised |
| SSL Kill Switch tweak | Disables validation and pinning system-wide | Needs a jailbroken device |
| Frida or Objection hooks | Force the trust check to pass | Any client-side check can be flipped |
| Server-side authorization and App Attest | Validates the request and app integrity server-side | Harder to forge; carries the real trust |
Read the table top to bottom: pinning and its bypasses all live on the client, while only server-side validation, which the device owner does not control, actually anchors trust.
Hardening checklist
Working through these steps keeps pinning effective while putting real trust server-side. The checklist below covers them.
| Step | Action | Done? |
|---|---|---|
| Test on your own app | Jailbroken or virtual device and a proxy you control | [ ] |
| Pin robustly | Public-key pins, backup pins, native where possible | [ ] |
| Do not rely on pinning alone | Authorize every request server-side | [ ] |
| Add client integrity | App Attest for sensitive operations | [ ] |
| Assume the owner sees traffic | Protect the API server-side, not via pinning | [ ] |
| Plan pin rotation | Backup pins to avoid outages on cert change | [ ] |
The step that changes your posture most is authorizing every request server-side, because it puts the deciding check where the device owner cannot alter it, unlike the pinning above it.
Assess your network-security posture
Because transport security is about more than a single pin, seeing your app's actual posture helps, including whether pinning is present, whether cleartext traffic is allowed, and how sensitive data travels. Knowing this is the input to hardening the channel and deciding what must be enforced server-side.
A scanner like PTKD.com analyzes your build and reports issues such as weak transport security, allowed cleartext traffic, insecure data storage, and leaked keys by severity, mapped to OWASP MASVS, whose network category covers pinning and transport hardening. To be clear about the boundary: PTKD does not make pinning unbreakable, which nothing can on a compromised device, and it does not test a live bypass. It helps you see your transport and data-protection posture so you invest in the layers that actually carry trust.
What to take away
- iOS certificate pinning is a client-side control, so on a jailbroken or virtual device a tester can disable it with Objection, Frida, or SSL Kill Switch.
- Objection's ios sslpinning disable and Frida hooks target a specific app, while SSL Kill Switch disables validation system-wide, and Corellium provides a virtual iOS device for testing without physical jailbroken hardware.
- Test this only against your own app on a device you own, as a controlled OWASP-style network assessment, ideally with an intercepting proxy.
- Pinning protects users on healthy devices from interception, but it does not protect your API from the owner of a compromised device, so never treat it as anti-reverse-engineering.
- Pin robustly with backup public-key pins, enforce trust server-side with authorization and App Attest, and review your transport posture with a tool like PTKD.com.



